Juniper Gets Ready to Roll UAC 2.0

Network access control tech race set to accelerate at Interop.

Network Access Control (NAC) is quickly becoming a
generic term for a wide swath of network access control technologies from
various vendors.

It's important to note that NAC as a technology is a term
used by Cisco for its product.

Rather than fall in line with the generic, Cisco's lead rival, Juniper
Networks, is pushing its own term for access control,
which it has dubbed Unified Access Control or UAC for short.

Juniper is
planning on using next week's Interop trade show in New York as a showcase
for its next-generation UAC 2.0 initiative.

Karthik Krishnan, Juniper Networks' UAC product manager, explained to
internetnews.com that Juniper originally announced UAC late last
year.

Currently UAC is in version 1.2, which is what Juniper will be
showing in its booth while the next generation 2.0 will be showcased at the
InteropLabs demo, which itself is a showcase of networking
technologies.

The UAC 2.0 solution will bolt on the new 802.1x technologies that Juniper gained with its acquisition of Funk Software.
The 802.1x IEEE standard provides for port-based security.

"What this really provides us with is the ability to provide access control
across the entire duration of a user's access to the network," Krishnan
explained.

"Prior to them even getting an IP address it provides the ability
to validate the end point and the ability to validate the user identity and
allow them onto the network."

Once users are on a network, they can take advantage of the existing
functionality in Juniper's infrastructure products to provide controlled
access to resources and applications in a very granular format.

Juniper's UAC is also supporting at least two of the Trusted Network Connect
(TNC) standards. TNC is an effort to provide open standards for access
control. Krishnan noted that there are two TNC specifications that are
relevant to UAC, which Juniper supports.

"The first thing is just using RADIUS assignments for VLAN
attributes across heterogeneous networks," Krishnan explained.

"So by supporting the TNC specification, we are able to use the Infranet
controller to set standard allow/deny decisions on any vendor's 802.1x switch
or access point."

The ability to allow customers to leverage their existing infrastructures is
a critical element of UAC, according to Krishnan. In his view, customers don't
want to necessarily change to a single vendor solution just to make network
control happen.

The other key TNC specification is one for endpoint solutions to plug into
an access control framework.

The net effect of the TNC endpoint spec is that
any endpoint solution, regardless of whether it's patch management or antivirus, will have the ability to write to a single set of APIs and be able to
leverage that against all of the NAC solutions.

Network access control solutions recently came under fire at the Black Hat conference in Las Vegas, where Ofir Arkin, CTO of security
research firm Insightix, explained how easy it was to bypass many non-802.1x
NAC-type solutions.

"We've taken a lot of pains to make sure the solution is secure and that it
can't be bypassed," Krishnan said.

One of those "pains" is avoiding any DHCP-based method
for authentication.

DHCP approaches to NAC were ridiculed by Arkin at Black
Hat as being inherently insecure.

"One of the reasons we haven't done DHCP is that you can bypass it; it's
just not very secure," Krishnan agreed. "It really provides you with a
phantom illusion of access control when you're not really getting it in the
network."

Krishnan also took aim at the notion that only Cisco will interoperate with
Microsoft's version of access control called Network Address Protection
(NAP).

"We don't have an announcement at this time but are having ongoing
conversations with Microsoft," Krishnan said.

"And given that Longhorn
Server isn't due till the second half of '07, I expect that when Microsoft
actually ships NAP we will have all sorts of integration with the solution."

One of the biggest obstacles to access control adoption for Juniper isn't
necessarily the technology; it's the crowded nature of the NAC marketplace
itself.

"The critical thing is to rise above the noise," Krishnan said. "Every
vendor is claiming to have a NAC solution."

Juniper is expected to release UAC 2 to the marketplace in the fourth
quarter of this year.

techjournalist@resultsoverhead.com
